v4.14.0
middleware.Logger() has been deprecated. For request logging, use middleware.RequestLogger() or middleware.RequestLoggerWithConfig().
middleware.RequestLogger() replaces middleware.Logger(), offering comparable configuration while relying on the Go standard library’s new slog logger.
The previous default output format was JSON. The new default follows the standard slog logger settings. To continue emitting request logs in JSON, configure slog accordingly:
slog.SetDefault(slog.New(slog.NewJSONHandler(os.Stdout, nil)))
e.Use(middleware.RequestLogger())
If you are developing anything more substantial than a demo, use middleware.RequestLoggerWithConfig()
Security
- Logger middleware json string escaping and deprecation by @aldas in https://github.com/labstack/echo/pull/2849
- Update deps by @aldas in https://github.com/labstack/echo/pull/2807
- refactor to use reflect.TypeFor by @cuiweixie in https://github.com/labstack/echo/pull/2812
- Use Go 1.25 in CI by @aldas in https://github.com/labstack/echo/pull/2810
- Modernize context.go by replacing interface{} with any by @vishr in https://github.com/labstack/echo/pull/2822
- Fix typo in SetParamValues comment by @vishr in https://github.com/labstack/echo/pull/2828
- Fix typo in ContextTimeout middleware comment by @vishr in https://github.com/labstack/echo/pull/2827
- Improve BasicAuth middleware: use strings.Cut and RFC compliance by @vishr in https://github.com/labstack/echo/pull/2825
- Fix duplicate plus operator in router backtracking logic by @yuya-morimoto in https://github.com/labstack/echo/pull/2832
- Replace custom private IP range check with built-in net.IP.IsPrivate by @kumapower17 in https://github.com/labstack/echo/pull/2835
- Ensure proxy connection is closed in proxyRaw function(#2837) by @kumapower17 in https://github.com/labstack/echo/pull/2838
- Update deps by @aldas in https://github.com/labstack/echo/pull/2843
- Logger middleware json string escaping and deprecation by @aldas in https://github.com/labstack/echo/pull/2849
- Update golang.org/x/* deps by @aldas in https://github.com/labstack/echo/pull/2850
- Changelog for 4.14.0 by @aldas in https://github.com/labstack/echo/pull/2851
- @cuiweixie made their first contribution in https://github.com/labstack/echo/pull/2812
- @yuya-morimoto made their first contribution in https://github.com/labstack/echo/pull/2832
- @kumapower17 made their first contribution in https://github.com/labstack/echo/pull/2835
Full Changelog: https://github.com/labstack/echo/compare/v4.13.4...v4.14.0
v4.13.4
- chore: fix some typos in comment by @zhuhaicity in https://github.com/labstack/echo/pull/2735
- CI: test with Go 1.24 by @aldas in https://github.com/labstack/echo/pull/2748
- Add support for TLS WebSocket proxy by @t-ibayashi-safie in https://github.com/labstack/echo/pull/2762
Security
- Update dependencies for GO-2025-3487, GO-2025-3503 and GO-2025-3595 in https://github.com/labstack/echo/pull/2780
- @zhuhaicity made their first contribution in https://github.com/labstack/echo/pull/2735
- @t-ibayashi-safie made their first contribution in https://github.com/labstack/echo/pull/2762
Full Changelog: https://github.com/labstack/echo/compare/v4.13.3...v4.13.4
v4.13.3
Security
- Update golang.org/x/net dependency GO-2024-3333 in https://github.com/labstack/echo/pull/2722
Full Changelog: https://github.com/labstack/echo/compare/v4.13.2...v4.13.3
v4.13.2 - update dependencies
Security
- Update dependencies (dependabot reports https://pkg.go.dev/vuln/GO-2024-3321 by @aldas in https://github.com/labstack/echo/pull/2721
Full Changelog: https://github.com/labstack/echo/compare/v4.13.1...v4.13.2
v4.13.1
Fixes
- Fix BindBody ignoring
Transfer-Encoding: chunkedrequests (introduced in #2710) by @178inaba in https://github.com/labstack/echo/pull/2717
Full Changelog: https://github.com/labstack/echo/compare/v4.13.0...v4.13.1
JWT Middleware Removed
The JWT middleware has been removed from Echo core due to another security vulnerability, CVE-2024-51744. For more details, refer to issue #2699. A drop-in replacement is available in the labstack/echo-jwt repository or see alternative implementation
Important: Direct assignments like token := c.Get("user").(*jwt.Token) will now cause a panic due to an invalid cast. Update your code accordingly. Replace the current imports from "github.com/golang-jwt/jwt" in your handlers to the new middleware version using "github.com/golang-jwt/jwt/v5".
Background:
The version of golang-jwt/jwt (v3.2.2) previously used in Echo core has been in an unmaintained state for some time. This is not the first vulnerability affecting this library; earlier issues were addressed in PR #1946. JWT middleware was marked as deprecated in Echo core as of v4.10.0 on 2022-12-27. If you did not notice that, consider leveraging tools like Staticcheck to catch such deprecations earlier in you dev/CI flow. For bonus points - check out gosec.
We sincerely apologize for any inconvenience caused by this change. While we strive to maintain backward compatibility within Echo core, recurring security issues with third-party dependencies have forced this decision.
Enhancements
- remove jwt middleware by @stevenwhitehead in https://github.com/labstack/echo/pull/2701
- optimization: struct alignment by @behnambm in https://github.com/labstack/echo/pull/2636
- bind: Maintain backwards compatibility for map[string]interface{} binding by @thesaltree in https://github.com/labstack/echo/pull/2656
- Add Go 1.23 to CI by @aldas in https://github.com/labstack/echo/pull/2675
- improve
MultipartFormtest by @martinyonatann in https://github.com/labstack/echo/pull/2682 bind: add support of multipart multi files by @martinyonatann in https://github.com/labstack/echo/pull/2684- Add TemplateRenderer struct to ease creating renderers for
html/templateandtext/templatepackages. by @aldas in https://github.com/labstack/echo/pull/2690 - Refactor TestBasicAuth to utilize table-driven test format by @ErikOlson in https://github.com/labstack/echo/pull/2688
- Remove broken header by @aldas in https://github.com/labstack/echo/pull/2705
- fix(bind body): content-length can be -1 by @phamvinhdat in https://github.com/labstack/echo/pull/2710
- CORS middleware should compile allowOrigin regexp at creation by @aldas in https://github.com/labstack/echo/pull/2709
- Shorten Github issue template and add test example by @aldas in https://github.com/labstack/echo/pull/2711
- @behnambm made their first contribution in https://github.com/labstack/echo/pull/2636
- @thesaltree made their first contribution in https://github.com/labstack/echo/pull/2656
- @martinyonatann made their first contribution in https://github.com/labstack/echo/pull/2682
- @ErikOlson made their first contribution in https://github.com/labstack/echo/pull/2688
- @phamvinhdat made their first contribution in https://github.com/labstack/echo/pull/2710
- @stevenwhitehead made their first contribution in https://github.com/labstack/echo/pull/2701
Full Changelog: https://github.com/labstack/echo/compare/v4.12.0...v4.13.0
v4.12.0
Security
- Update golang.org/x/net dep because of GO-2024-2687 by @aldas in https://github.com/labstack/echo/pull/2625
Enhancements
- binder: make binding to Map work better with string destinations by @aldas in https://github.com/labstack/echo/pull/2554
- README.md: add Encore as sponsor by @marcuskohlberg in https://github.com/labstack/echo/pull/2579
- Reorder paragraphs in README.md by @aldas in https://github.com/labstack/echo/pull/2581
- CI: upgrade actions/checkout to v4 by @aldas in https://github.com/labstack/echo/pull/2584
- Remove default charset from 'application/json' Content-Type header by @doortts in https://github.com/labstack/echo/pull/2568
- CI: Use Go 1.22 by @aldas in https://github.com/labstack/echo/pull/2588
- binder: allow binding to a nil map by @georgmu in https://github.com/labstack/echo/pull/2574
- Add Skipper Unit Test In BasicBasicAuthConfig and Add More Detail Explanation regarding BasicAuthValidator by @RyoKusnadi in https://github.com/labstack/echo/pull/2461
- fix some typos by @teslaedison in https://github.com/labstack/echo/pull/2603
- fix: some typos by @pomadev in https://github.com/labstack/echo/pull/2596
- Allow ResponseWriters to unwrap writers when flushing/hijacking by @aldas in https://github.com/labstack/echo/pull/2595
- Add SPDX licence comments to files. by @aldas in https://github.com/labstack/echo/pull/2604
- Upgrade deps by @aldas in https://github.com/labstack/echo/pull/2605
- Change type definition blocks to single declarations. This helps copy… by @aldas in https://github.com/labstack/echo/pull/2606
- Fix Real IP logic by @cl-bvl in https://github.com/labstack/echo/pull/2550
- Default binder can use
UnmarshalParams(params []string) errorinter… by @aldas in https://github.com/labstack/echo/pull/2607 - Default binder can bind pointer to slice as struct field. For example
*[]stringby @aldas in https://github.com/labstack/echo/pull/2608 - Remove maxparam dependence from Context by @aldas in https://github.com/labstack/echo/pull/2611
- When route is registered with empty path it is normalized to
/. by @aldas in https://github.com/labstack/echo/pull/2616 - proxy middleware should use httputil.ReverseProxy for SSE requests by @aldas in https://github.com/labstack/echo/pull/2624
- @marcuskohlberg made their first contribution in https://github.com/labstack/echo/pull/2579
- @doortts made their first contribution in https://github.com/labstack/echo/pull/2568
- @georgmu made their first contribution in https://github.com/labstack/echo/pull/2574
- @RyoKusnadi made their first contribution in https://github.com/labstack/echo/pull/2461
- @teslaedison made their first contribution in https://github.com/labstack/echo/pull/2603
- @pomadev made their first contribution in https://github.com/labstack/echo/pull/2596
- @cl-bvl made their first contribution in https://github.com/labstack/echo/pull/2550
Full Changelog: https://github.com/labstack/echo/compare/v4.11.4...v4.12.0
v4.11.4 upgrade dependencies
Security
Enhancements
- Update deps and mark Go version to 1.18 as this is what golang.org/x/* use #2563
- Request logger: add example for Slog https://pkg.go.dev/log/slog #2543